HTTP-authentication-01.txt comments

On Mon, 13 Apr 1998, Dave Kristol wrote:

> 3.2.3 The Authentication-Info Header
> cnonce and qop are used in the calculation of response-digest.  The
> client is not required to send either cnonce= or auth=.  So I assume
> (correct?) that the null string is used for values for omitted
> attributes in the calculation.
> If (to use cnonce as the example) cnonce was omitted, should
> Authentication-Info omit cnonce, or should it send cnonce=""?  Same
> question for auth.

It might be better to say that Authentication-Info should only be
sent if qop (and hence cnonce) are present.

Another question: Unless I am mistaken, at one point in the long
sequence of digest drafts, the Authentication-Info header could be
supplied by either the server or the client.  It would be useful
for the client to be able to supply the digest of POSTed data
or a file which is PUT.  Being able to assure the integrity of
client supplied data would be very useful.  Did this fall through
the cracks, or am I just missing this functionality somewhere in
the draft?

John Franks

Received on Tuesday, 14 April 1998 09:47:47 UTC